Description
Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code
Published: 2026-04-28
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting vulnerability exists in the content creation endpoint of HTMLy version 3.1.1. The application fails to sanitize user input, allowing attackers to inject arbitrary HTML or JavaScript. If exploited, malicious code will run in the browsers of users who view the affected content, potentially leading to session hijacking, defacement, or other malicious actions. This flaw represents a classic cross‑site scripting weakness.

Affected Systems

The affected product is HTMLy, version 3.1.1. No other vendors or products were identified. Users of this specific version are directly impacted.

Risk and Exploitability

The CVSS score is 8.9, and the EPSS score is <1%, indicating that exploitation is unlikely but still possible. The flaw can be exploited by any user with access to the image creation endpoint. Because injected code executes in the victim’s browser, if the content is publicly viewable the impact is high. The vulnerability is not listed in CISA’s KEV catalog, indicating no confirmed exploits as of the last update. Nonetheless, the lack of proper input validation presents a significant risk that should be mitigated.

Generated by OpenCVE AI on May 10, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of HTMLy if one has been released by the vendor or community.
  • Sanitize user input on the /add/content?type=image endpoint by removing disallowed tags or using a trusted library such as OWASP Java HTML Sanitizer.
  • Implement a Content Security Policy that restricts inline scripts and eval usage to mitigate any exploitation.

Generated by OpenCVE AI on May 10, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 10 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Stored Cross‑Site Scripting in HTMLy Content Creation

Sun, 10 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L'}

Wed, 29 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Danpros
Danpros htmly
Vendors & Products Danpros
Danpros htmly

Wed, 29 Apr 2026 02:00:00 +0000

Type Values Removed Values Added
Title Stored Cross‑Site Scripting in HTMLy Content Creation
Weaknesses CWE-79

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code
References

Subscriptions

Danpros Htmly
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-10T19:57:07.825Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38949

cve-icon Vulnrichment

Updated: 2026-04-29T13:25:43.028Z

cve-icon NVD

Status : Deferred

Published: 2026-04-28T19:37:38.937

Modified: 2026-05-10T20:16:28.647

Link: CVE-2026-38949

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T22:00:14Z

Weaknesses